7c486492c8
programs: pipewire: port sandbox to bwrap and restrict further
2024-02-25 15:19:57 +00:00
890b41f563
programs: pipewire: sandbox
...
still need to sandbox wireplumber
2024-02-25 14:34:11 +00:00
ca36fe1b96
programs: gnome.seahorse: sandbox
2024-02-25 12:03:42 +00:00
d2df668c9e
modules/programs: sane-sandboxed: replace --sane-sandbox-keep-pidspace with --sane-sandbox-keep-namespace <pid|cgroup|ipc|uts>
2024-02-25 12:00:00 +00:00
b7921ac41b
refactor: programs: sort
2024-02-25 11:53:49 +00:00
c304367e21
programs: gnome-maps: sandbox
2024-02-25 11:51:50 +00:00
2ad33a49df
refactor: pipewire: remove dead code
2024-02-25 10:38:42 +00:00
0b4efd2ab2
pipewire: migrate services to sane.programs to completely disable socket activation
...
see: https://github.com/NixOS/nixpkgs/issues/291318
2024-02-25 10:36:21 +00:00
0745e9fc06
refactor: programs: split gnome-maps into own file
2024-02-25 09:06:32 +00:00
e0267b5669
programs: pipewire: disable socket activation
2024-02-25 08:55:59 +00:00
b3c7aac8c5
programs: wike: sandbox: enable DRI to fix graphical glitches
2024-02-25 08:38:10 +00:00
c788596c45
programs: sane-private-do: grant net access
...
crucial for e.g. sane-private-do git push
2024-02-25 08:25:13 +00:00
6865331b48
programs: sandbox sane-scripts.private-do
2024-02-25 05:41:27 +00:00
04a6055d06
remove /libexec from environment.pathsToLink
2024-02-25 05:12:44 +00:00
f714bd8281
programs: jq: sandbox
2024-02-25 01:59:01 +00:00
73b2594d9b
programs: sandboxing: distinguish between "existingFileOrParent" and "existingOrParent"
2024-02-25 01:59:01 +00:00
0f1ad0f3c9
fs: auto-mount /mnt/<host>/home and enable "follow_symlinks" option
2024-02-24 16:04:04 +00:00
eecb98e2ee
programs: bonsai: fix eval error
2024-02-23 16:00:32 +00:00
6267e7f966
tidy up small persist/private nitpicks
2024-02-23 14:44:38 +00:00
120a41b169
persistence: split /var/log persistence into dedicated "initrd" store
2024-02-23 14:42:47 +00:00
aa0991bd6c
persistence: cleanup so it all works well with symlink-based stores
2024-02-23 13:09:44 +00:00
62b39bf01e
firefox: integrate the "persist" config into "sane.programs"
2024-02-23 11:23:41 +00:00
0d8307e877
programs: gnome-keyring: sandbox
...
and now secrets are readable again. they were broken for the last ~10 commits :)
2024-02-23 09:49:35 +00:00
9b1a2ae9bb
programs: mpv: remove useless "extraRuntimePaths = []" override
2024-02-23 09:32:19 +00:00
b8b805765b
programs: gnome-keyring-daemon: remove the SUID wrapper
...
it's not actually mandated. just, when enabled, gkd will `mlock` its
secrets into memory. but i don't use swap anyway. plus, i'll enable that
momentarily anyway (though systemd will probably not understand the
capablity)
2024-02-23 09:28:41 +00:00
84eae20765
gnome-keyring: don't integrate with PAM
...
PAM integration is only required if the keyring is encrypted on-disk
2024-02-23 09:15:30 +00:00
4a10c5f729
gnome-keyring: start as systemd service explicitly, not as implicit dbus service
2024-02-23 09:09:54 +00:00
c2696c1cd9
gnome-keyring: use sane.fs abstractions to write out the keyrings
2024-02-23 08:57:41 +00:00
ea6f45555c
gnome-keyring: simplify the scripts (untested)
2024-02-23 08:14:09 +00:00
687db545b4
gnome-keyring: move persistence and init script to sane.programs
2024-02-23 07:22:07 +00:00
24d1d13d0a
programs: simplify sandboxing of file browsers/etc now that private data lives on a different mount
2024-02-23 07:06:29 +00:00
2ada436634
home: remove ~/private symlink; move to .persist/private and add related aliases
2024-02-23 07:06:29 +00:00
e5ad0862fb
refactor: move ~/ fs definitions into hosts/common/home, not users/
2024-02-23 07:06:29 +00:00
057b9e3fed
replace links/references to ~/private/FOO with just ~/FOO
2024-02-23 07:06:29 +00:00
1bcfccf7e3
refactor: persist ~/knowledge formally instead of relying on the symlink
2024-02-23 07:06:29 +00:00
a402822084
move "private" store to /mnt/persist/private instead of ~/private
...
this will allow me to add all of ~ to a sandbox without giving all of ~/private
2024-02-23 07:06:29 +00:00
771dc2e1ce
fs: allow common /mnt points to be mounted by me without sudo
2024-02-23 07:06:29 +00:00
4a316d4b91
bonsai: lift out of sxmo
2024-02-23 07:06:29 +00:00
af03b3f6e8
xwayland: sandbox
2024-02-23 01:05:24 +00:00
5819f07181
programs: xwayland: sandbox
2024-02-22 22:12:03 +00:00
122f3fa5cc
sway: remove xwayland-specific placement of Signal
...
it breaks non-xwayland sway config parsing, and Signal is native Wayland now anyway even with Xwayland running'
2024-02-22 22:01:48 +00:00
f27f994090
systemd: fix the timeout for the user service manager
2024-02-22 00:24:05 +00:00
473999c001
sway: re-enable networkmanager
2024-02-21 23:46:25 +00:00
d1de9efde1
sway: port xwayland use to sane.programs API
2024-02-21 23:32:10 +00:00
50c3f04714
pipewire: remove dead alsa comments
2024-02-21 23:26:40 +00:00
49bad8f186
sway: split pipewire persisted file into pipewire.nix
2024-02-21 23:26:25 +00:00
fd9f500e97
sway: split pipewire config into separate sane.programs.pipewire
2024-02-21 23:23:52 +00:00
386651044e
sway: port to sane.programs API
2024-02-21 23:18:57 +00:00
55a6c828f2
sway: lift portal/menu reset into polyunfill.nix
2024-02-21 22:09:53 +00:00
d77a12ce7b
unl0kr: remove the "afterLogin" option and choose automatically which desktop to launch
2024-02-21 20:47:48 +00:00